This document is an introduction to the syntax and semantics
of the operators of TLA+. It assumes that you are familiar
with ordinary mathematics (sets and functions) and are at least
acquainted with TLA. It should enable you to understand the
expressions that appear in TLA+ specifications.
The operators of TLA+ can be classified as constant operators, action operators,
and temporal operators. For convenience, all these operators are listed in
Figures 1-4 on the next page through page 4. They are described in three separate
sections.

The ASCII versions of typeset special characters are shown in Figure 5 on
page 5. In the absence of a reasonable alternative, TLA+ uses the TeX command
name for a symbol. (Sometimes there is more than one ASCII version for the same
symbol; the different versions are synonymous.)

1 The Constant Operators 

All the constant operators of TLA+ are listed in Figure 1 on page 3 and Figure 2 on
page 4. In these figures, p and p_i are formulas, x is a bound variable, h and h_i are
sequences of characters, the c_i are characters, the d_i are digits, and all other letters
are terms. The operators are explained below, in more or less the order in which
they appear in the figures. (The "miscellaneous operators" are defined earlier so
they can be used in defining other operators.)

The figures show the simple forms of the operators. Some operators have more
general forms. For example, you can write ∃ x, y : p instead of ∃ x : ∃ y : p.
The more general forms are described with the individual operators.

1.1 Untypedness

TLA+ is based on ZFC (Zermelo-Fraenkel set theory with the axiom of choice).
This is an untyped formalism. In an untyped formalism, every syntactically well-formed
expression, no matter how silly, has a meaning — for example, the expression
3 ∈ √"abc". If the expression is silly, its meaning is probably unspecified.
All we can tell about the expression 3 ∈ √"abc" is that it is a Boolean, so it equals
either TRUE or FALSE.

Mathematicians write silly expressions all the time. For example, the expression
1/0 is a silly expression. But if you substitute 0 for x in the formula (x ≠ 0) ⇒
(x * (1/x) = 1), you get the valid formula (0 ≠ 0) ⇒ (0 * (1/0) = 1) that
contains the silly expression 1/0. A correct formula can contain silly expressions.
However, the validity of a correct formula cannot depend on the meaning of a silly
expression.
Logic

TRUE   FALSE   ∧   ∨   ¬   ⇒   ≡
∀ x : p   ∃ x : p   ∀ x ∈ S : p   ∃ x ∈ S : p
CHOOSE x : p                       [Equals some x satisfying p]

Sets

=   ≠   ∈   ∉   ∪   ∩   ⊆   \ [set difference]
{e_1, ..., e_n}                    [Set consisting of elements e_i]
{x ∈ S : p}                        [Set of elements x in S satisfying p]
{e : x ∈ S}                        [Set of elements e such that x in S]
SUBSET S                           [Set of subsets of S]
UNION S                            [Union of all elements of S]

Functions

f[e]                               [Function application]
DOMAIN f                           [Domain of function f]
[x ∈ S ↦ e]                        [Function f such that f[x] = e for x ∈ S]
[S → T]                            [Set of functions f with f[x] ∈ T for x ∈ S]
[f EXCEPT ![e_1] = e_2]            [Function f̂ equal to f except f̂[e_1] = e_2]
{[f EXCEPT ![e] ∈ S]}              [Set of functions f̂ equal to f except f̂[e] ∈ S]

Records

e.h                                [The h-component of record e]
[h_1 ↦ e_1, ..., h_n ↦ e_n]        [The record whose h_i component is e_i]
[h_1 : S_1, ..., h_n : S_n]        [Set of all records with h_i component in S_i]
[r EXCEPT !.h = e]                 [Record r̂ equal to r except r̂.h = e]
{[r EXCEPT !.h ∈ S]}               [Set of records r̂ equal to r except r̂.h ∈ S]

Tuples

e[i]                               [The i-th component of tuple e]
⟨e_1, ..., e_n⟩                    [The n-tuple whose i-th component is e_i]
S_1 × ... × S_n                    [The set of all n-tuples with i-th component in S_i]

Strings and Numbers

"c_1 ... c_n"                      [A literal string of n characters]
STRING                             [The set of all strings]
d_1 ... d_n   d_1 ... d_n . d_{n+1} ... d_m   [Numbers]

Figure 1: Simple forms of the constant operators of TLA+.
Miscellaneous

IF p THEN e_1 ELSE e_2                    [Equals e_1 if p true, else e_2]
CASE p_1 → e_1 □ ... □ p_n → e_n          [Equals e_i if p_i true]
LET x_1 ≜ e_1 ... x_n ≜ e_n IN e          [Equals e in the context of the definitions]
∧ p_1                                     [the conjunction p_1 ∧ ... ∧ p_n]
  ...
∧ p_n
∨ p_1                                     [the disjunction p_1 ∨ ... ∨ p_n]
  ...
∨ p_n

Figure 2: Simple forms of the constant operators of TLA+ (continued).

p'                                        [p true in final state of step]
[A]_e                                     [A ∨ (e' = e)]
⟨A⟩_e                                     [A ∧ (e' ≠ e)]
ENABLED A                                 [An A step is possible]
UNCHANGED e                               [e' = e]
A · B                                     [Composition of actions]

Figure 3: The action operators of TLA+.



□F                                        [F is always true]
◇F                                        [F is eventually true]
WF_e(A)                                   [Weak fairness for action A]
SF_e(A)                                   [Strong fairness for action A]
F ↝ G                                     [F leads to G]
F −▷ G                                    [F guarantees G]
∃ x : F                                   [Temporal existential quantification (hiding).]
∀ x : F                                   [Temporal universal quantification.]

Figure 4: The temporal operators of TLA+.
Figure 5: ASCII versions of typeset special characters.



1.2 Logic 

1.2.1 Propositional Logic 

In TLA+, we use the ordinary operators of propositional logic. Negation is denoted
by ¬ (~ in ASCII), implication by ⇒ (=>), and logical equivalence by ≡ (\equiv
or <=>), where A ≡ B equals (A ⇒ B) ∧ (B ⇒ A).

Among the propositional-logic operators, ¬ has highest precedence, ∧ and ∨
have next lower precedence, then comes ≡, and ⇒ has lowest precedence. Because
∧ and ∨ have equal precedence, an expression like A ∨ B ∧ C is illegal; parentheses
must be used to disambiguate it.

1.2.2 Predicate Logic 

We also use the ordinary universal quantifier ∀ (\A) and existential quantifier ∃
(\E) of predicate logic. Bounded quantifiers are defined in terms of unbounded
ones in the usual way:

∀ x ∈ S : p ≜ ∀ x : (x ∈ S) ⇒ p
∃ x ∈ S : p ≜ ∃ x : (x ∈ S) ∧ p

In these expressions, the bound variable x may not occur in the expression S.
TLA+ uses the customary abbreviations for multiple quantification:
∀ x_1, ..., x_n : p and ∃ x_1, ..., x_n : p. For example

∀ x, y, z : P ≜ ∀ x : ∀ y : ∀ z : P

The general form of bounded universal quantification is

∀ q_1 ∈ S_1, ..., q_n ∈ S_n : p

where each q_i is either a list x_1, ..., x_m of variables or a tuple ⟨x_1, ..., x_m⟩
of variables. (See Section 1.6 for a discussion of tuples.) None of these bound
variables may appear in any of the S_i. Existential quantification is similar. For
example,

∃ ⟨x, y⟩ ∈ S, z, w ∈ T : p ≜
    ∃ x, y, z, w : (⟨x, y⟩ ∈ S) ∧ (z ∈ T) ∧ (w ∈ T) ∧ p

where neither x, y, z, nor w may appear in S or T.

An expression begun by ∀ or ∃ is terminated by the end of the statement or
expression that contains it. The containing expression may be ended by some form
of right parenthesis, by indentation rules (see Section 1.3.3), or by the end of a
statement containing the expression.

1.2.3 The CHOOSE Operator 

The CHOOSE operator is known to logicians as Hilbert's ε [4]. If there is an x such
that p holds, then CHOOSE x : p equals some such x. If there is more than one
such x, it is not specified which one is chosen. If there is no such x, then the value
of CHOOSE x : p is unspecified.

The most common use for the CHOOSE operator is to "name" a uniquely specified
value. For example, one possible definition of the operator / on the set Real
of real numbers is:

r/s ≜ CHOOSE v : (v ∈ Real) ∧ (v * s = r)

If r is a nonzero real number, then there is no real v such that v * 0 = r. Therefore,
r/0 has a completely unspecified value. We don't know what a real number times
a string equals, so we cannot say whether or not there is a real number v such that
v * "abc" equals r. Hence, we don't know what the value of r/"abc" is.

The CHOOSE operator is often used in the following idiom, which defines
notAnS to be some arbitrary element not in S.

notAnS ≜ CHOOSE x : x ∉ S

The CHOOSE operator cannot be used to introduce nondeterminism. If q is
equivalent to p, then CHOOSE x : q equals CHOOSE x : p. Hence, CHOOSE
"chooses the same value every time."

A CHOOSE expression, like a quantifier expression, is ended by the end of the
expression or statement that contains it.

1.2.4 Typeless Logic 

Because TLA+ is completely untyped, an expression like 3 ∧ "abc" is legal. We
can therefore ask whether it equals "abc" ∧ 3, and whether (3 ∧ "abc") ∨ ¬(3 ∧
"abc") equals TRUE. There are two reasonable ways to define the semantics of the
Boolean operators, which give two sets of answers to such questions.

In the weak semantics, one knows nothing about the meaning of an expression
like a ∧ b if a and b are not both Booleans. With this semantics, 3 ∧ "abc" need
not be a Boolean, and there is no reason to expect it to equal "abc" ∧ 3. We can
reason about logical operators only when applied to Booleans.

In the strong semantics, a ∧ b is a Boolean regardless of what a and b are, and
logical operators obey most of the usual laws. In particular, a ∧ b equals b ∧ a
for any a and b. The easiest way to define the strong semantics is to assume an
operator Ψ such that Ψ(e) is a Boolean for every e, and Ψ(e) equals e if e is a
Boolean. We then define the logical operators so that, for example, a ∧ b equals
Ψ(a) ∧ Ψ(b), for all a and b.

The strong semantics is more convenient to use when writing proofs, because
we can apply the laws of logic without having first to prove that the arguments of
Boolean operators are Booleans. However, when writing specifications, we should
assume only the weak semantics. The meaning of a specification should never
depend on the value obtained by applying a Boolean operator to a non-Boolean.

1.3 Miscellaneous Operators 

1.3.1 Constructs Stolen from Programming Languages 

The expression

IF p THEN e_1 ELSE e_2

equals e_1 if p is true, otherwise it equals e_2. The CASE expression is defined by

CASE p_1 → e_1 □ ... □ p_n → e_n ≜
    CHOOSE $x : (p_1 ⇒ ($x = e_1)) ∧ ... ∧ (p_n ⇒ ($x = e_n))

In the CASE expression, p_n can be OTHER, which is an abbreviation for ¬(p_1 ∨ ... ∨
p_{n-1}).

Like a quantifier expression, an ELSE clause or the final arm of a CASE expression
is terminated by the end of the statement or expression that contains it. This
rule means that if one CASE expression appears within another, then the inner CASE
encompasses as much of the expression as possible. For example

CASE p_1 → a + CASE p_2 → e_2 □ p_3 → e_3 □ p_4 → e_4

is parsed as

CASE p_1 → a + (CASE p_2 → e_2 □ p_3 → e_3 □ p_4 → e_4)

if none of the p_i are OTHER expressions. If p_3 is OTHER, then the only possible
parsing is

CASE p_1 → a + (CASE p_2 → e_2 □ OTHER → e_3) □ p_4 → e_4

It is good practice to enclose an inner CASE in parentheses to avoid ambiguity. (Perhaps
this practice should be required by the language syntax, but at the moment it
isn't.)

1.3.2 The let Construct 

The LET construct allows one to make and use local definitions within an expression.
For example

LET x ≜ a * c
    F(n) ≜ (a + b + c)^n
IN x * F(1) + F(2) + F(2 + x)

equals

(a * c) * (a + b + c)^1 + (a + b + c)^2 + (a + b + c)^(2 + (a * c))

The identifiers x and F must not have a meaning in the context where the LET
expression appears.

1.3.3 Junction Lists 

TLA+ uses the notation for conjunctions and disjunctions explained in [2]. A list of
formulas prefixed by ∧ or ∨ denotes the conjunction or disjunction of the formulas,
and indentation is used to eliminate parentheses. For example:

∧ ∨ A ∨ B
  ∨ C
∧ ∨ D
  ∨ E ∧ F
  ∨ G

equals ((A ∨ B) ∨ C) ∧ (D ∨ (E ∧ F) ∨ G). The following are the precise rules
for parsing a bulleted list of conjuncts or disjuncts, where general parentheses pairs
are ( ), { }, [ ], and ⟨ ⟩.

• The ∧ or ∨ tokens must line up.

• Each conjunct or disjunct is terminated by either the end of the entire expression
or else the first token, not appearing inside general parentheses, that
appears at the same vertical position or to the left of its ∧ or ∨. (In the ASCII
representation, the position of a symbol is that of its first character.)

1.4 Sets 

1.4.1 Infix and Prefix Operators 

TLA+ uses the conventional infix operators for sets: ∈ (\in), ∉ (\notin),
∩ (\cap), ∪ (\cup), and ⊆ (\subseteq). The operator \ denotes set difference;
A \ B is the set of elements in A that are not in B.

The operators = and ≠ (# or /=) should be used for equality and inequality of
non-Boolean values. Although = can be used for equality of Boolean values, we
prefer to use ≡ in that case. (The precedence rules encourage this use.)

In TLA+, SUBSET is the powerset operator, so SUBSET S is the set of all subsets
of S. Thus, S ∈ SUBSET T is equivalent to S ⊆ T. We write UNION S
(instead of the more conventional ∪ S) for the union of all the elements of S. For
example, UNION {S, T} equals S ∪ T, and UNION (SUBSET S) equals S, for any
sets S and T. The UNION and SUBSET operators can be confusing. Until you
get used to them, you may want to write comments describing typical elements of
each set in each subexpression in which they appear in your specifications.

The operators ∩, ∪, \, SUBSET, and UNION all have equal precedence, which
is higher than the precedence shared by =, ≠, ∈, and ⊆. That precedence is in
turn lower than the precedence of ¬ (the highest-precedence Boolean operator).
TLA+ adopts the principle that eliminating ambiguity is more important than saving
keystrokes. Therefore, operators are given equal precedence if there is any
reasonable doubt about their relative precedence.

1.4.2 Set Constructors 

Finite sets can be enumerated explicitly with an expression of the form
{e_1, ..., e_n}, which denotes the set whose elements are the e_i. For example,
{1, 2, 1, 3, 2, 3} is the set consisting of the three elements 1, 2, and 3. The empty
set is written { }.

TLA+ provides two set-constructing operators that are often confused. The
first is the subset constructor {x ∈ S : p}, which denotes the set of all elements of
S satisfying p. For example, {x ∈ Nat : x ≤ 3} equals {0, 1, 2, 3}, where Nat is
the set of natural numbers. The second is the set-of-all constructor {e : x ∈ S},
which denotes the set of expressions of the form e, for all x in S. For example,
{2 * n : n ∈ Nat} is the set of even natural numbers. In the expressions {x ∈ S : p}
and {e : x ∈ S}, the bound variable x may not occur in S.

The subset constructor also has the form

{⟨x_1, ..., x_n⟩ ∈ S : p}

which is defined to equal

{x ∈ S : ∃ x_1, ..., x_n : (x = ⟨x_1, ..., x_n⟩) ∧ p}

where the x_i are variables that may not appear in S. The set-of-all constructor has
the general form

{e : q_1 ∈ S_1, ..., q_n ∈ S_n}

where the q_i and S_i are the same as for bounded quantifiers — each q_i is either a
list or a tuple of variables, and none of these bound variables may appear in any of
the S_i. For example,

{e : x ∈ S, y ∈ T} ≜ UNION {{e : x ∈ S} : y ∈ T}

In set theory, logical inconsistencies (such as Russell's paradox) are avoided
by restricting the kinds of collections that are sets. These restrictions are built into
the TLA+ operators, which make it impossible to build sets that are "too big". For
example, the collection of all finite sets is not a set. However, the set of all finite
sets of natural numbers is a set, and can be written using the TLA+ operators.

1.5 Functions 

1.5.1 Functions and their Domains 

In conventional mathematics, a function is a set of ordered pairs satisfying certain
properties. In TLA+, we do not specify any particular set-theoretic representation
of functions. We simply assume that there is a certain kind of set called a function
that has a domain. Function application is denoted by square brackets, so f[e] is
the value obtained by applying f to e. The expression f[e] is meaningful even if e
is not in the domain of f, or if f is not a function; but we have no way of specifying
what the meaning of f[e] is unless f is a function and e is in its domain.

The expression DOMAIN f equals the domain of f, if f is a function. The
expression [S → T] denotes the set of all functions with domain S and range a
subset of T. In other words, f is in [S → T] iff it is a function with domain S
such that f[x] ∈ T for all x ∈ S.

The TLA+ notation for a "lambda expression" is the function constructor
[x ∈ S ↦ e], which equals the function f whose domain is the set S, such that
f[x] equals e for each x in S. For example, [i ∈ Nat ↦ i + 1] defines the successor
function on the set Nat of natural numbers. An expression f denotes a function
iff f equals [x ∈ DOMAIN f ↦ f[x]], where x is a variable that does not occur in
f.

1.5.2 The except Construct 

Functions  If f is a function, then [f EXCEPT ![e_1] = e_2] equals the function f̂
that is the same as f except with f̂[e_1] = e_2. Formally,

[f EXCEPT ![e_1] = e_2] ≜ [x ∈ DOMAIN f ↦ IF x = e_1 THEN e_2
                                                      ELSE f[x]]

where x is a variable that does not occur in the expressions f, e_1, or e_2. Think
of [f EXCEPT ![e_1] = e_2] as the function obtained from f by the assignment
f[e_1] := e_2.

The character @ appearing in the expression e_2 stands for f[e_1]. For example,
[Fcn EXCEPT ![3] = @ * 5] is the function f that is the same as Fcn except that
f[3] equals Fcn[3] * 5. Think of @ as an abbreviation for the "old value" of f
applied to e_1.

The EXCEPT notation is generalized in two ways. First, we let
[f EXCEPT ![e_1]...[e_n] = e] be the function obtained from f by the assignment
f[e_1]...[e_n] := e, where @ in e denotes f[e_1]...[e_n]. Formally,
[f EXCEPT ![e_1]...[e_n] = e] equals

[f EXCEPT ![e_1] = [@ EXCEPT ![e_2] = [@ ... EXCEPT ![e_n] = e] ...]]

Next, we let [f EXCEPT ![...] = e_1, ..., ![...] = e_n] be an abbreviation for

[... [[f EXCEPT ![...] = e_1] EXCEPT ![...] = e_2] ... EXCEPT ![...] = e_n]

Think of [f EXCEPT ![2][7] = @ + 1, ![3][5] = @ + 2] as the array obtained from
f by performing the two assignments

f[2][7] := f[2][7] + 1 ; f[3][5] := f[3][5] + 2
Sets of Functions  It is also convenient to have a notation for sets of functions
that differ from f only in their value on some element in their domain. We let

{[f EXCEPT ![e] ∈ S]}

be the set of all functions

[f EXCEPT ![e] = x]

with x ∈ S (assuming x does not appear in the expression f or S). This set is
written in ASCII as

{[f EXCEPT ![e] \in S]}

There is a similar @ convention to the one described above. For example,
{[Fcn EXCEPT ![3] ∈ {@, @ + 1}]} is the set consisting of the functions Fcn and
[Fcn EXCEPT ![3] = @ + 1].

We generalize the {[f EXCEPT ![e_1] ∈ e_2]} construct in the same ways we
generalized the construct [f EXCEPT ![e_1] = e_2] above. For example,

{[f EXCEPT ![a][b] ∈ S, ![c] ∈ T]}

is the set of all functions

[f EXCEPT ![a][b] = s, ![c] = t]

with s ∈ S and t ∈ T. There is also one additional abbreviation: we can write
"= e" instead of "∈ {e}". For example,

{[f EXCEPT ![a][7] ∈ S, ![b] = g]}

is the set

{[f EXCEPT ![a][7] = s, ![b] = g] : s ∈ S}

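The following added Python model (not code from the paper, and not a TLA+ tool) executes the EXCEPT semantics of Section 1.5.2: a TLA+ function is a dict whose keys are its domain, @ is the old value at the assigned position, nested ![e_1]...[e_n] assignments unfold exactly as the formal definition above, several assignments apply left to right, and the {[f EXCEPT ... ∈ S]} form produces one function per choice of values. The functions FCN and GRID and the helper names are constructed here; they stand in for the Fcn of the text.

```python
def function(domain, body):
    """[x ∈ domain ↦ body(x)]: a TLA+ function modelled as a dict whose keys
    are exactly its DOMAIN."""
    return {x: body(x) for x in domain}


def in_function_set(f, S, T):
    """f ∈ [S → T]: f is a function with domain S whose values all lie in T."""
    return isinstance(f, dict) and set(f) == set(S) and all(v in T for v in f.values())


def _get(f, path):
    # f[e_1]...[e_n] for path = (e_1, ..., e_n): the "@" of an assignment.
    for e in path:
        f = f[e]
    return f


def _assign(f, path, new):
    """[f EXCEPT ![e_1]...[e_n] = new]. A callable new is applied to @, the old
    value f[e_1]...[e_n]. Outside the domain the TLA+ value is unspecified;
    here that is a KeyError rather than a silently extended function."""
    head, *rest = path
    old = f[head]
    if rest:  # [f EXCEPT ![e_1] = [@ EXCEPT ![e_2]...[e_n] = new]]
        value = _assign(old, rest, new)
    else:
        value = new(old) if callable(new) else new
    g = dict(f)
    g[head] = value
    return g


def except_(f, *assignments):
    """[f EXCEPT ![..] = e_1, ..., ![..] = e_n]: each assignment is (path, new)
    and is applied to the result of the previous one, left to right."""
    for path, new in assignments:
        f = _assign(f, path, new)
    return f


def except_set(f, *assignments):
    """{[f EXCEPT ![..] ∈ S_1, ..., ![..] ∈ S_n]}: every function
    [f EXCEPT ![..] = s_1, ..., ![..] = s_n] with each s_i ∈ S_i, returned as a
    list because dicts are not hashable. An S_i may be a callable of @, and the
    abbreviation "= e" is simply S_i = {e}."""
    if not assignments:
        return [f]
    (path, S), *rest = assignments
    candidates = S(_get(f, path)) if callable(S) else S
    return [g for s in candidates for g in except_set(_assign(f, path, s), *rest)]


# Constructed samples: FCN maps 1..5 to squares; GRID is a 3×3 array of
# functions with GRID[i][j] = 10*i + j.
FCN = function(range(1, 6), lambda i: i * i)
GRID = function(range(1, 4), lambda i: function(range(1, 4), lambda j: 10 * i + j))


def demo():
    """The worked cases of the text, computed on FCN and GRID."""
    return {
        # [Fcn EXCEPT ![3] = @ * 5]
        "times5": except_(FCN, ((3,), lambda at: at * 5)),
        # [Grid EXCEPT ![2][3] = @ + 1, ![3][1] = @ + 2]
        "two_updates": except_(GRID, ((2, 3), lambda at: at + 1), ((3, 1), lambda at: at + 2)),
        # {[Fcn EXCEPT ![3] ∈ {@, @ + 1}]} = {Fcn, [Fcn EXCEPT ![3] = @ + 1]}
        "set_form": except_set(FCN, ((3,), lambda at: {at, at + 1})),
        # {[Grid EXCEPT ![1][2] ∈ {100, 200}, ![3][3] = 0]}: "= 0" abbreviates "∈ {0}"
        "mixed_set": except_set(GRID, ((1, 2), {100, 200}), ((3, 3), {0})),
    }
```

Note that except_ never mutates its argument: like the TLA+ expression, it denotes a new function, which is why GRID[2][3] is still 23 after demo() has run.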
1.5.3 Recursive Function Definitions 

TLA+ does not allow recursive definitions of operators. However, using CHOOSE,
it is easy to write recursive function definitions. For example, the classic recursive
definition of the factorial function on the set of natural numbers can be written as

Fact ≜ CHOOSE f : f = [n ∈ Nat ↦ IF n = 0 THEN 1
                                         ELSE n * f[n − 1]]

TLA+ provides the following abbreviation for this definition:

Fact[n : Nat] ≜ IF n = 0 THEN 1
                         ELSE n * Fact[n − 1]

In general, f[x : S] ≜ e is an abbreviation for

f ≜ CHOOSE f : f = [x ∈ S ↦ e]

The bound variable x may not appear in S.

Although TLA+ does not allow recursive operator definitions, recursive function
definitions can often be used to define operators. For example, the following
defines the operator Cardinality so that if S is a finite set, then Cardinality(S) is
the number of elements in S.

Cardinality(S) ≜ LET F[T : SUBSET S] ≜
                        IF T = {}
                          THEN 0
                          ELSE 1 + F[T \ {CHOOSE t : t ∈ T}]
                 IN F[S]
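The added Python model below (not the paper's code, not a TLA+ tool) serves two passages: the determinism of CHOOSE from Section 1.2.3 and the recursive function definitions of Section 1.5.3. Over a finite candidate set, CHOOSE is modelled as a fixed deterministic pick, so equivalent predicates yield the same value. The definition f ≜ CHOOSE f : f = [x ∈ S ↦ e] cannot be modelled by enumerating all functions, so the model instead finds a solution of the defining equation by iterating the functional [x ∈ S ↦ e] to a fixpoint on a finite domain, and separately checks that a candidate satisfies the equation; Fact on 0..N and Cardinality via F[T : SUBSET S] are the worked cases. The helper names, the finite domain and the start value are assumptions of this model.

```python
from itertools import combinations


def choose(candidates, p):
    """CHOOSE x ∈ candidates : p(x), over a finite candidate set. The pick is
    deterministic (first satisfying candidate in a fixed order), so equivalent
    predicates yield the same value: CHOOSE introduces no nondeterminism. When
    nothing satisfies p the TLA+ value is unspecified; here that raises."""
    for x in sorted(candidates, key=repr):
        if p(x):
            return x
    raise ValueError("CHOOSE: no candidate satisfies p; value unspecified")


def powerset(S):
    """SUBSET S for a finite set S."""
    S = frozenset(S)
    return frozenset(frozenset(c) for r in range(len(S) + 1) for c in combinations(S, r))


def satisfies_definition(f, domain, body):
    """The defining equation of a recursive function definition:
    f = [x ∈ domain ↦ body(f, x)]."""
    return set(f) == set(domain) and all(f[x] == body(f, x) for x in domain)


def recursive_function(domain, body, guess=0):
    """f[x : domain] ≜ body(f, x), i.e. f ≜ CHOOSE f : f = [x ∈ domain ↦ body(f, x)].
    Rather than choosing among all functions, iterate the functional
    Φ(f) = [x ∈ domain ↦ body(f, x)] from an arbitrary start until Φ(f) = f.
    For a well-founded recursion over a finite domain every round fixes one more
    recursion level, so a fixpoint appears within |domain| + 1 rounds; a
    definition that does not determine f (e.g. f[n] = f[n] + 1) never settles
    and raises."""
    domain = list(domain)
    f = {x: guess for x in domain}  # the start value only has to type-check in body
    for _ in range(len(domain) + 2):
        g = {x: body(f, x) for x in domain}
        if g == f:
            return g
        f = g
    raise ValueError("no fixpoint: the recursive definition does not determine f")


def is_well_defined(domain, body):
    try:
        recursive_function(domain, body)
        return True
    except ValueError:
        return False


def fact_body(f, n):
    # IF n = 0 THEN 1 ELSE n * f[n - 1]
    return 1 if n == 0 else n * f[n - 1]


def factorial(N):
    """Fact[n : 0..N] ≜ IF n = 0 THEN 1 ELSE n * Fact[n - 1], on the finite
    domain 0..N (the model cannot hold all of Nat)."""
    return recursive_function(range(N + 1), fact_body)


def cardinality(S):
    """Cardinality(S) ≜ LET F[T : SUBSET S] ≜ IF T = {} THEN 0
                                          ELSE 1 + F[T \\ {CHOOSE t : t ∈ T}]
                        IN F[S]
    An operator (it accepts any finite set) defined through a recursive function
    whose domain, SUBSET S, is a set; the operator itself is not recursive."""
    S = frozenset(S)
    F = recursive_function(
        powerset(S),
        lambda F, T: 0 if not T else 1 + F[T - {choose(T, lambda t: True)}])
    return F[S]
```

satisfies_definition is the part that corresponds to CHOOSE: it is the predicate f = [x ∈ S ↦ e] that the chosen f must satisfy, and it rejects a function that differs from Fact at a single point.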

1.5.4 Functions Versus Operators 

It is important to understand the distinction between an operator like Cardinality
and a function like Fact. If f is a function, then f and f[x] are both expressions.
Hence, both 1 + f[x] and 1 + f are syntactically legal expressions. (What they
mean will depend on the definition of +.) If O is an operator that takes a single
argument, then O(e) is an expression, for any expression e. However, O by itself
is not an expression. One can write 1 + O(e), but 1 + O is nonsense — it is not
a syntactically valid expression. Writing "1 + O" makes as little sense as writing
"1 + (" or "O + +".

Since functions are expressions, they are often more convenient to use than
operators. However, a function has a domain, which is a set, and it is possible to
specify the value of f[x] only for x in its domain. One cannot define a function f
such that f[S] equals Cardinality(S) for every finite set S. The domain of such a
function would have to be the collection of all finite sets, and that collection is not
a set.

The most common use of functions is as the values of variables. In a program
written in a conventional programming language, one often declares a variable x
to be an array variable indexed by some set S. In a TLA+ specification, one lets x
be a variable whose value is always a function with domain S.

1.6 Tuples and Functions of Multiple Arguments 

In TLA+, ⟨e_1, ..., e_n⟩ denotes an ordered n-tuple. TLA+ provides the usual
Cartesian product notation, where S_1 × ... × S_n is the set of all n-tuples
⟨e_1, ..., e_n⟩ with each e_i in S_i. Unlike conventional mathematics, TLA+ defines
the n-tuple ⟨e_1, ..., e_n⟩ to be the function with domain {1, ..., n} that maps i to
e_i. Thus, if e is a tuple with at least i components, then e[i] is its i-th component,
for any positive integer i. In particular, the zero-tuple ⟨⟩ is the unique function
with empty domain.

A function of multiple arguments is a function whose domain is a Cartesian
product. We can write f[e_1, ..., e_n] as an abbreviation for f[⟨e_1, ..., e_n⟩]. The
general form of an explicit function constructor is

[q_1 ∈ S_1, ..., q_n ∈ S_n ↦ e]

where the q_i and S_i are the same as for bounded quantifiers — each q_i is either a
list or a tuple of variables, and none of these bound variables may appear in any of
the S_i. For example,

[⟨x, y⟩ ∈ S, z ∈ T ↦ e]

is equivalent to

[w ∈ S × T ↦ LET x ≜ w[1][1]   y ≜ w[1][2]   z ≜ w[2]
             IN e]

if w does not occur in S, T, or e.

The EXCEPT construct and recursive function definitions extend in the obvious
way to functions of multiple arguments. For example, the general form of a
function definition is

f[q_1 : S_1, ..., q_n : S_n] ≜ e

where the q_i and S_i are as before.

1.7 Strings and Numbers 

A string is written "...", as in "abc". Formally, the string "abc" is a 3-tuple, so
it equals ⟨"abc"[1], "abc"[2], "abc"[3]⟩. The elements of this 3-tuple (the three
letters making up the string "abc") are unspecified. Of course, "" equals ⟨⟩. The
set of all strings is written STRING.

A sequence of digits is a number. Formally, the sequence 376 of digits denotes
Numeral("376"), where Numeral must be a defined operator. The Naturals
module defines Numeral so that Numeral("376") equals the number 376. (More
precisely, Numeral("376") equals the value that represents the number 376 in the
particular representation of the natural numbers defined by the Naturals module.)
Since 376 is equivalent to writing Numeral("376"), it is an error to write 376 in
a module where Numeral is not defined — which usually means in a module that
does not extend or instance Naturals or some other module that defines numbers.

The Naturals module also defines the set Nat of natural numbers, and the
following infix operators:

+   − (subtraction)   * (times)   ^ (exponentiation)   <   ≤   >   ≥

Decimal numbers are defined in terms of the Decimal operator. For example,
3.14159 is an abbreviation for Decimal("3", "14159"). The Reals module defines
Decimal appropriately.

1.8 Records 

TLA+ provides notation for records, which are like the records of conventional
programming languages. The xyz component of a record r is written
r.xyz. The expression [h_1 ↦ e_1, ..., h_n ↦ e_n] is the record r with components
h_1, ..., h_n such that r.h_i equals e_i, for i = 1, ..., n. The expression
[h_1 : S_1, ..., h_n : S_n] is the set of all records r with components h_1, ..., h_n
such that r.h_i is an element of the set S_i, for i = 1, ..., n. In other words,

[h_1 : S_1, ..., h_n : S_n] ≜
    {[h_1 ↦ e_1, ..., h_n ↦ e_n] : e_1 ∈ S_1, ..., e_n ∈ S_n}

In both of these notations, n has to be at least one; [ ] is not a legal expression.

In TLA+, a record is a function whose domain is a finite set of strings, and
r.xyz is an abbreviation for r["xyz"]. Taking !.xyz to be an abbreviation for
!["xyz"], the EXCEPT notation applies to records as well as functions. For example,
[r EXCEPT !.h[e] = @ + 1] is the record r̂ that is the same as r, except r̂.h
is the function that is the same as r.h except r̂.h[e] equals r.h[e] + 1.

Because records are functions, one can always write r["foo"] instead of r.foo
and can use function constructors for expressing records. This can be quite useful
at times.
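The following added Python model (not the paper's code, not a TLA+ tool) covers Sections 1.6 and 1.8 together, because both rest on the same point: tuples and records are nothing but functions. A tuple is a function on {1, ..., n}, a Cartesian product is a set of such functions, a function of several arguments is a function on a product, and a record is a function on a finite set of strings, so r.x is r["x"]. Functions are made hashable so that they can be set elements (needed for S_1 × ... × S_n and [h_1 : S_1, ...]). The class Fn, the helper names and the sample values ADD, POINT and POINTS are constructed here.

```python
from itertools import product


class Fn(dict):
    """A TLA+ function: a finite map whose keys are its DOMAIN. Hashable, so
    functions (hence tuples and records, which are functions) can be set
    elements; treat instances as immutable values."""

    def __hash__(self):
        return hash(frozenset(self.items()))


def tup(*elems):
    """⟨e_1, ..., e_n⟩: the function with domain {1, ..., n} mapping i to e_i.
    tup() is ⟨⟩, the unique function with empty domain."""
    return Fn({i: e for i, e in enumerate(elems, start=1)})


def is_tuple(v):
    return isinstance(v, Fn) and set(v) == set(range(1, len(v) + 1))


def cartesian(*sets):
    """S_1 × ... × S_n: all n-tuples whose i-th component is in S_i."""
    return frozenset(tup(*combo) for combo in product(*sets))


def function_of(*sets, body):
    """[x_1 ∈ S_1, ..., x_n ∈ S_n ↦ body(x_1, ..., x_n)]: a function of several
    arguments is a function on the Cartesian product, i.e.
    [w ∈ S_1 × ... × S_n ↦ LET x_1 ≜ w[1] ... x_n ≜ w[n] IN body]."""
    return Fn({w: body(*(w[i] for i in range(1, len(sets) + 1)))
               for w in cartesian(*sets)})


def apply_multi(f, *args):
    """f[e_1, ..., e_n] ≜ f[⟨e_1, ..., e_n⟩]."""
    return f[tup(*args)]


def record(**fields):
    """[h_1 ↦ e_1, ..., h_n ↦ e_n]: a function whose domain is a finite set of
    strings, so r.h is r["h"]. [ ] with no components is not a legal expression."""
    if not fields:
        raise ValueError("[ ] is not a legal record expression")
    return Fn(fields)


def record_set(**field_sets):
    """[h_1 : S_1, ..., h_n : S_n] ≜
    {[h_1 ↦ e_1, ..., h_n ↦ e_n] : e_1 ∈ S_1, ..., e_n ∈ S_n}."""
    if not field_sets:
        raise ValueError("[ ] is not a legal record-set expression")
    names = list(field_sets)
    return frozenset(Fn(dict(zip(names, combo)))
                     for combo in product(*(field_sets[h] for h in names)))


# Constructed samples.
ADD = function_of({0, 1, 2}, {0, 1, 2}, body=lambda x, y: x + y)  # [x, y ∈ 0..2 ↦ x + y]
POINT = record(x=1, y=2)                                         # [x ↦ 1, y ↦ 2]
POINTS = record_set(x={0, 1, 2}, y={0, 1, 2})                    # [x : 0..2, y : 0..2]
```

Because ADD is an ordinary function, its domain is literally the product set: set(ADD) equals cartesian({0, 1, 2}, {0, 1, 2}), and ADD[tup(2, 2)] is the same lookup as apply_multi(ADD, 2, 2).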

2 Action Operators 

The action operators of TLA+ come from TLA. They are listed in Figure 3 on
page 4. Except for ·, these operators are all described in [3].

TLA has two classes of variables: rigid variables and flexible variables. Rigid
variables are called constants in TLA+. They are the variables of ordinary predicate
logic. The bound variables introduced by the constant operators of Section 1
are rigid variables. Flexible variables are called simply variables in TLA+.
An action is a Boolean formula that may contain primed and unprimed flexible
variables. In an action, an unprimed instance of a variable denotes its value in
"the current state", and a primed instance denotes its value in "the next state". For
action reasoning, x and x' can be considered to be completely unrelated variables.

The action operators of TLA+ can be defined in terms of primed variables as
follows. (These definitions are applied from the inside out, replacing the arguments
of an operator by their definitions and then replacing the operator by its definition.)

p'           Equals p with every flexible variable x replaced by its primed version x'.

[A]_e        Equals A ∨ (e' = e).

⟨A⟩_e        Equals A ∧ (e' ≠ e).

ENABLED A    Let x_1, ..., x_n be the flexible variables that occur primed in A, let
             x̂_1, ..., x̂_n be new rigid variables that do not occur in A, and let Â be
             the formula obtained from A by replacing each occurrence of x'_i by x̂_i, for
             i = 1, ..., n. Then ENABLED A equals ∃ x̂_1, ..., x̂_n : Â. For example

             ENABLED (x' * x = y' * z) = ∃ x̂, ŷ : x̂ * x = ŷ * z

UNCHANGED e  Equals e' = e.

A · B        Equals the composition of the actions A and B. Intuitively, it is the action
             that first does A then B. More formally, let x_1, ..., x_n be all the flexible
             variables that occur primed in A or unprimed in B, let x̂_1, ..., x̂_n be new
             rigid variables that do not occur in A or B, let Â equal A with each x'_i
             replaced by x̂_i, and B̂ equal B with each x_i replaced by x̂_i. Then A · B
             equals ∃ x̂_1, ..., x̂_n : Â ∧ B̂. For example,

             (The worked example of A · B, displayed in the original as two bulleted
             conjunction lists over the variables x, y, z, and w, is not legible in the
             scanned text.)

(The TLA+ convention of using bulleted lists of conjuncts and disjuncts is
explained in Section 1.3.)
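Here is an added Python model of the action operators defined above; it is not code from the paper and not a TLA+ tool. A state is a dict of variable values, an action is a predicate A(s, t) on the current state s and the next state t (primed variables are read from t), and the existential quantifications in the definitions of ENABLED and A · B are evaluated by enumerating a small constructed universe of states. The universe (x and y over 0..2), the actions Inc and Swap, and the helper names are assumptions of this model.

```python
from itertools import product

# Constructed finite universe: flexible variables x and y, each over 0..2.
VARS = ("x", "y")
STATES = [dict(zip(VARS, vals)) for vals in product(range(3), repeat=len(VARS))]


def Inc(s, t):
    """x' = x + 1 ∧ UNCHANGED y"""
    return t["x"] == s["x"] + 1 and t["y"] == s["y"]


def Swap(s, t):
    """x' = y ∧ y' = x"""
    return t["x"] == s["y"] and t["y"] == s["x"]


def xy(s):
    """The state function ⟨x, y⟩."""
    return (s["x"], s["y"])


def boxed(A, e):
    """[A]_e ≜ A ∨ (e' = e): an A step or a stuttering step leaving e unchanged."""
    return lambda s, t: A(s, t) or e(t) == e(s)


def angled(A, e):
    """⟨A⟩_e ≜ A ∧ (e' ≠ e): an A step that changes e."""
    return lambda s, t: A(s, t) and e(t) != e(s)


def unchanged(e):
    """UNCHANGED e ≜ e' = e"""
    return lambda s, t: e(t) == e(s)


def next_states(A, s, states=STATES):
    """The states t for which s → t is an A step."""
    return [t for t in states if A(s, t)]


def enabled(A, s, states=STATES):
    """ENABLED A: the primed variables are existentially quantified, so A is
    enabled in s iff some state t of the universe satisfies A(s, t). The answer
    depends on the universe: Inc is not enabled at x = 2 when x ranges over 0..2."""
    return any(A(s, t) for t in states)


def compose(A, B, states=STATES):
    """A · B: first an A step, then a B step, with the intermediate state hidden,
    i.e. ∃ u : A(s, u) ∧ B(u, t). Quantifying over a whole intermediate state
    equals quantifying over the variables primed in A or unprimed in B: the
    remaining variables of u are constrained by neither side."""
    return lambda s, t: any(A(s, u) and B(u, t) for u in states)
```

The composition is not commutative: from x = 0, y = 1, Inc · Swap can reach x = 1, y = 1 but not x = 2, y = 0, whereas Swap · Inc reaches x = 2, y = 0. A stuttering step s → s satisfies [Inc]_⟨x,y⟩ but never ⟨Inc⟩_⟨x,y⟩, and Swap from a state with x = y is a stuttering step that ⟨Swap⟩_⟨x,y⟩ excludes.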
3 Temporal Operators

A temporal formula is one that is true or false of a behavior, which is an infinite
sequence of states. The TLA operators for writing temporal formulas are listed in
Figure 4 on page 4. The temporal quantifiers have the same generalizations as the
unbounded predicate-logic quantifiers — for example, ∃ x_1, ..., x_n : F.

The temporal operators of TLA+ are all described in [3] except for −▷, which
is introduced in [1]. (This operator is used only for assumption/guarantee specifications.)
They are defined in terms of □ and ∃ as follows.

◇F           Equals ¬□¬F.

WF_e(A)      Equals (□◇¬ENABLED ⟨A⟩_e) ∨ (□◇⟨A⟩_e).

SF_e(A)      Equals (◇□¬ENABLED ⟨A⟩_e) ∨ (□◇⟨A⟩_e).

F ↝ G        Equals □(F ⇒ ◇G).

∀ x : F      Equals ¬∃ x : ¬F.

F −▷ G       This formula asserts that G remains true at least one step longer than F
             does. (And G remains true forever if F does.) A formula H is true for
             the first k steps of a behavior iff there is some way to continue those steps
             to a complete behavior for which H is true. This leads to the following
             formal definition of F −▷ G.

             Let x be the tuple ⟨x_1, ..., x_n⟩ of all flexible variables that occur free
             in F or G; let x̂ be an n-tuple of flexible variables ⟨x̂_1, ..., x̂_n⟩ distinct
             from any variables appearing (bound or free) in F or G; let F̂ and Ĝ be
             the formulas obtained from F and G by substituting the variables x̂_i for
             the corresponding variables x_i, and let b be a flexible variable distinct
             from the x_i and x̂_i. Then F −▷ G is defined to equal

             ∀ b : ∧ (b = TRUE) ∧ □[b' = FALSE]_b
                   ∧ ∃ x̂_1, ..., x̂_n : F̂ ∧ □(b ⇒ (x = x̂))
                 ⇒ ∃ x̂_1, ..., x̂_n : Ĝ ∧ (x = x̂) ∧ □[b ⇒ (x' = x̂')]_⟨b, x, x̂⟩
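The definitions of ◇, ↝, WF and SF above can be executed on a class of behaviors for which □ and ◇ are decidable: lasso-shaped behaviors, a finite prefix followed by a finite loop repeated forever. The following added Python model (not the paper's code, not a TLA+ tool) represents such a behavior, evaluates temporal formulas at a position of it, builds ◇, ↝, WF_e(A) and SF_e(A) exactly from the definitions above, and contrasts a behavior in which a counter stops because its action becomes disabled with one in which the counter stays put while the action remains enabled (which violates weak fairness). ENABLED is computed over a small constructed universe as in Section 2. The class Lasso, the behaviors B_STOPS and B_STUCK, the action Inc and the helper names are constructed here.

```python
class Lasso:
    """A behavior σ = s_0 ... s_{k-1} (s_k ... s_{n-1})^ω: a finite list of states
    plus the index k at which the infinite repetition starts. Every suffix of σ
    is a suffix starting at some position in 0..n-1, so □ and ◇ are decided by
    enumerating those positions."""

    def __init__(self, states, loop_start):
        if not 0 <= loop_start < len(states):
            raise ValueError("loop_start must index a state")
        self.states, self.loop = list(states), loop_start

    def norm(self, i):
        # Representative in 0..n-1 of position i (positions past the end wrap into the loop).
        n = len(self.states)
        return i if i < n else self.loop + (i - self.loop) % (n - self.loop)

    def state(self, i):
        return self.states[self.norm(i)]

    def suffix_positions(self, i):
        # Representatives of every position j >= i: the rest of the prefix plus the loop.
        i, n = self.norm(i), len(self.states)
        return range(i, n) if i < self.loop else range(self.loop, n)


# A temporal formula is a function (behavior, position) -> bool.

def state_pred(p):
    """A state predicate p holds at position i iff p(s_i)."""
    return lambda b, i: p(b.state(i))


def action(A):
    """An action A holds at position i iff the step s_i → s_{i+1} is an A step."""
    return lambda b, i: A(b.state(i), b.state(i + 1))


def always(F):
    """□F: F holds at every position from i on."""
    return lambda b, i: all(F(b, j) for j in b.suffix_positions(i))


def eventually(F):
    """◇F ≜ ¬□¬F"""
    return lambda b, i: not always(lambda b_, j: not F(b_, j))(b, i)


def leads_to(F, G):
    """F ↝ G ≜ □(F ⇒ ◇G)"""
    return always(lambda b, i: (not F(b, i)) or eventually(G)(b, i))


def angled(A, e):
    """⟨A⟩_e ≜ A ∧ (e' ≠ e)"""
    return lambda s, t: A(s, t) and e(t) != e(s)


def enabled(A, s, universe):
    """ENABLED A over a finite universe of states (Section 2)."""
    return any(A(s, t) for t in universe)


def weak_fairness(A, e, universe):
    """WF_e(A) ≜ (□◇¬ENABLED ⟨A⟩_e) ∨ (□◇⟨A⟩_e)"""
    step = angled(A, e)
    disabled = lambda b, i: not enabled(step, b.state(i), universe)
    return lambda b, i: always(eventually(disabled))(b, i) or always(eventually(action(step)))(b, i)


def strong_fairness(A, e, universe):
    """SF_e(A) ≜ (◇□¬ENABLED ⟨A⟩_e) ∨ (□◇⟨A⟩_e)"""
    step = angled(A, e)
    disabled = lambda b, i: not enabled(step, b.state(i), universe)
    return lambda b, i: eventually(always(disabled))(b, i) or always(eventually(action(step)))(b, i)


# Constructed samples: one variable x over 0..2 and the action Inc ≜ x' = x + 1.
UNIVERSE = [{"x": v} for v in range(3)]
X = lambda s: s["x"]
Inc = lambda s, t: t["x"] == s["x"] + 1
B_STOPS = Lasso([{"x": 0}, {"x": 1}, {"x": 2}], loop_start=2)  # 0, 1, 2, 2, 2, ...
B_STUCK = Lasso([{"x": 0}, {"x": 1}], loop_start=1)            # 0, 1, 1, 1, ...
```

On B_STOPS, x = 2 is reached and then holds forever, so ◇□(x = 2) holds, (x = 0) ↝ (x = 2) holds and (x = 2) ↝ (x = 0) fails; WF_x(Inc) holds because Inc is disabled at x = 2 in this universe. On B_STUCK, Inc stays enabled at x = 1 yet never occurs, so both WF_x(Inc) and SF_x(Inc) fail.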